Top 10 Most Overlooked Aspects of IT Security

Before you hunker down, all comfy and cozy, in front of a crackling holiday fire, hold the fruitcake and eggnog: Feel like you're forgetting something?

A background check? When did it become necessary to do more than call references and verify past employment?

It's easy and tempting to overlook the character issue when hiring employees, or even managing them over the long term. But as the strategic value and importance of IT has risen, so has the need to make sure those with the keys to the kingdom aren't eavesdropping, stealing, or worse.

"It's become more the norm that companies screen all their employees," said Jason Morris, president of Background Information Services, Cleveland. "People quickly realized that IT is one of their biggest liabilities -- when employees take home data tapes, for example. So they may not screen low-level carpet sweepers, but if they have access to sensitive areas, employers screen."

In addition to verifying education and previous employment, Morris encourages making sure there are no unexplained gaps in a candidate's job history. Are they claiming MCSE or Cisco router certifications? Get it confirmed, he suggests. "Driver's records could also be a good measure of responsibility, as are credit reports."

A basic check might include SSN verification, address history, and a search of county records for felonies and misdemeanors. Background research can get even more detailed (and expensive) with searches of sex offender databases, state and national archives, even international resources.

So how much should a company expect to spend on a background check? "It varies, but a good rule of thumb is one day's salary" for the position for which you're hiring, Morris says. "It can be a lot less too."

Doug Shields, president of Secure Networks, finds less value in sifting through official records and prefers to drill down more on what he calls "character issues."

Shields, who worked at the CIA for nine years, is more interested in why a prospect left his last job, or if he was an Eagle Scout, for example. "That may sound hokey, but it tells you something."

You can also learn about character issues by asking a candidate how they safeguard their own data. Do they use encryption on their personal laptop? Have they even set up a wireless LAN at home, and if so, what security protocol did they use? The answers will tell you something about consistency and follow-through, Shields suggests.

And while screening before employment begins is great, it doesn't help much if you don't continue to keep tabs of some sort on employees. "If they go bad over time, you're not going to know about it" unless there's continued monitoring, Shields explains. "It doesn't matter what industry you're in. You have to make sure your stuff is secure and that people only have access to things they should have access to."